OFFICIALS LEGISLATION INTEREST GROUPS PUBLIC STATEMENTS COMMITTEES VETOES

Statements on Introduced Bills and Joint Resolutions

Date: Feb. 28, 2005
Location: Washington, DC
Issues: Animals and Wildlife

STATEMENTS ON INTRODUCED BILLS AND JOINT RESOLUTIONS -- (Senate - February 28, 2005)

By Mr. LEAHY:

S. 472. A bill to criminalize Internet scams involving fraudulently obtaining personal information, commonly known as phishing; to the Committee on the Judiciary.

Mr. LEAHY. Mr. President, today I am introducing a bill, the Anti-Phishing Act of 2005, which targets a serious threat to the security of the Internet.

Phishing is a rapidly growing class of identity theft scams on the Internet that is causing both short-term losses and long-term economic damage. In the short-term, these scams defraud individuals and financial institutions. Estimated losses from phishing attacks are now in the billions of dollars, and those losses are growing. The short-term losses, however, are just a chapter in a larger story. In the long-term, phishing undermines the public's trust in the Internet. By making consumers uncertain about the integrity of the Internet's complex addressing system, phishing threatens to make us all less likely to use the Internet for secure transactions. If you can't trust where you are on the web, you are less likely to use it for commerce and communications.

Those well versed in popular culture may guess that phishing was named after the phenomenally popular Vermont band, Phish. But phishing over the Internet was in fact named from the sport of fishing, as an analogy for its technique of luring Internet prey with convincing email bait. The "F" is replaced by a "P-H" in keeping with a computer hacker tradition.

Phishing attacks usually start with emails that are, in Internet jargon, "spoofed." That is, they are made to appear to be coming from some trusted financial institution or commercial entity. The spoofed email usually asks the victim to go to a website to confirm or renew private account information. These emails offer a link that appears to take the victim to the website of the trusted institution. In fact the link takes the victim to a phony website that is visually identical to that of the trusted institution, but is in fact run by the criminal. When the victim takes the bait and sends their account information, the criminal uses it-sometimes within minutes-to transfer the victim's funds or to make purchases. Phishers are the new con artists of cyberspace.

Phishing is on the rise. The Anti-Phishing Working Group reports that the number of new phishing messages climbed at a monthly rate of 38 percent in the last six months of 2004. The number of new phishing websites has climbed 24 percent per month since last August. And phishing attacks are increasingly sophisticated. Early phishing attacks were by novices, but there is now evidence that some attacks are backed by organized crime. Some of the attacks these days also include spyware, a type of software that is secretly installed on the victim's computer to surreptitiously capture account information when the victim visits legitimate websites.

In addition, the Internet faces the threat of "pharming." This insidious crime does not rely on email bait. Rather, it attacks web browsers and the Internet's addressing system. The effect is that even individuals who type a desired Internet destination into their web browser may be redirected to a phony web site, with the same disastrous result as clicking on the phony link in a phishing attack.

Some phishers and pharmers can be prosecuted under wire fraud or identity theft statutes, but often these prosecutions take place only after someone has been defrauded. For most of these criminals, that leaves plenty of time to cover their tracks. It has been reported that the average phishing website is active on the Internet for less than six days. Moreover, the mere threat of these attacks undermines everyone's confidence in the Internet. When people cannot trust that websites are what they appear to be, they will not use the Internet for their secure transactions. Traditional wire fraud and identity theft statutes are not sufficient to respond to phishing and pharming.

The Anti-Phishing Act of 2005 protects the integrity of the Internet in two ways. First, it criminalizes the bait. It makes it illegal to knowingly send out spoofed email that links to sham websites with the intention of committing a crime. Second, it criminalizes the sham websites that are the true scene of both types of crime.

There are, of course, important First Amendment concerns to be protected. The Anti-Phishing Act protects parodies and political speech from being prosecuted as Phishing. We have worked closely with various public interest organizations to ensure that the Anti-Phishing Act does not impinge on the important democratic role that the Internet plays.

To many Americans, phishing and pharming are new words. They are certainly a new form of an old crime. They are also very serious, and we need to act aggressively to keep them from eroding the public's trust in online commerce and communication. I look forward to working with others in the Senate in addressing this growing threat to the Internet with effective and responsible action.

http://thomas.loc.gov

arrow_upward